Getting started with Azure AD Auth with Azure Files

As I’m writing this it should be noted that the feature itself is still in preview. Azure Files has been an awesome feature that provides SMB 3 based file shares both to internet based clients and to Virtual Machines running in Microsoft Azure.

Azure Files has up until now had some limitations when it comes to ACLs, and it requires port 445 outbound to be able to open the file share. Now it actually supports Azure AD authentication (in Preview). This uses Azure AD Domain Services to obtain a Kerberos ticket, which is then used to authenticate against the file share service running outside of the virtual network.


This feature is not aimed at Windows 10 devices joined to Azure AD, but at virtual machines in Azure that are domain joined to Azure AD Domain Services. So in order to enable the feature you need to have Azure AD Domain Services enabled and configured for your tenant.

To enable Azure AD Auth for SMB Files you just need to configure this under the properties of the Storage Account.

Or you can use the following Az PowerShell command to create a new storage account with the same capabilities.

New-AzStorageAccount -ResourceGroupName "<resource-group-name>" `
  -Name "<storage-account-name>" `
  -Location "<azure-region>" `
  -SkuName Standard_LRS `
  -Kind StorageV2 `
  -EnableAzureFilesAadIntegrationForSMB $true

NOTE: You still need to create the share after the storage account has been provisioned.

Also, after the share has been created you need to grant access to the share.
This can be done either by giving users access based upon the Reader role in Azure AD, or you can use the following custom role definition:

{
  "Name": "<Custom-Role-Name>",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows for read access to Azure File Share over SMB",
  "Actions": [ "*/read" ],
  "DataActions": [ "*/read" ],
  "AssignableScopes": [ "/subscriptions/<Subscription-ID>" ]
}

After this access has been granted to the share, you must also have a virtual machine that is domain joined to the Azure AD DS domain.

To configure NTFS permissions with superuser privileges, you must mount the share with your storage account key from your domain-joined VM; with this you can also

net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> <storage-account-key> /user:Azure\<storage-account-name>

Then you can use icacls to grant a user full permissions on the file share, covering all directories and files under the share, including the root directory.

icacls <mounted-drive-letter>: /grant <user-email>:(f)

Once that is done you can connect to the Azure Files share using a regular net use, authenticating with the Kerberos ticket from Azure AD DS instead of the storage account key:

net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name>
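The steps above strung together as one Az PowerShell run, as an added example that is not part of the original post. The resource group, account, share, role and user names are placeholders, and the role JSON is the custom definition shown earlier saved to a file; the first part runs wherever the Az module is installed, the second on the Azure AD DS domain-joined VM.

```powershell
# ---- Part 1: provision and grant access (run with the Az module, placeholder names) ----
$rg    = "<resource-group-name>"
$sa    = "<storage-account-name>"
$share = "<share-name>"
$sub   = "<Subscription-ID>"
$user  = "<user-email>"            # the Azure AD DS user who will use the share
$role  = "<Custom-Role-Name>"      # must match "Name" in the role JSON

# Storage account with Azure AD auth for SMB enabled (preview flag from the post)
$account = New-AzStorageAccount -ResourceGroupName $rg -Name $sa `
    -Location "<azure-region>" -SkuName Standard_LRS -Kind StorageV2 `
    -EnableAzureFilesAadIntegrationForSMB $true

# The share is not created with the account, so create it explicitly
New-AzStorageShare -Name $share -Context $account.Context

# Register the read-only custom role and assign it to the user, scoped to this
# storage account only rather than the whole subscription
New-AzRoleDefinition -InputFile ".\azurefiles-smb-read.json"   # the JSON above, saved locally
$scope = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$sa"
New-AzRoleAssignment -SignInName $user -RoleDefinitionName $role -Scope $scope

# ---- Part 2: set NTFS ACLs, then switch to Kerberos (run on the domain-joined VM) ----
$unc = "\\$($sa).file.core.windows.net\$($share)"

# Superuser mount with the account key; this bypasses per-user authorization,
# so it is only used to seed the NTFS ACLs and is removed right after
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $sa)[0].Value
net use Z: $unc $key /user:Azure\$sa

# Grant the user full control on the root; inheritance carries it to children
icacls Z: /grant "$($user):(F)"

# Drop the key-based mapping so the key does not linger in the session
net use Z: /delete

# Remount with the VM's Azure AD DS Kerberos identity: no key on the command line
net use Z: $unc
```

Keeping the key-based mapping for the ACL step only limits how long the all-powerful storage key is in use on the VM, and the final `net use` confirms that the Kerberos path works for the signed-in user.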

Now there are some limitations and use-cases which you should be aware of.

  • Azure AD integration is available for the Blob and Queue services only in the preview.
  • Azure AD integration is available for GPv1, GPv2, and Blob storage accounts in all public regions.
  • Only storage accounts created with the Resource Manager deployment model are supported.
  • Support for caller identity information in Azure Storage Analytics logging is coming soon.
  • Azure AD authorization of access to resources in standard storage accounts is currently supported. Authorization of access to page blobs in premium storage accounts will be supported soon.
  • It supports preserving NTFS ACLs for data import to Azure Files over SMB. You can copy the ACLs to directories and files with the robocopy command.
  • Azure AD authentication over SMB is not supported for on-premises machines accessing Azure Files.
  • Azure AD authentication is available only for storage accounts created after September 24, 2018.
  • Azure AD authentication over SMB and NTFS ACL persistence are not supported on Azure file shares managed by Azure File Sync Service.
  • Azure Files enforces standard NTFS file permission on the folder and file level, including the root directory.
  • The preview release supports viewing permissions with Windows File Explorer only. Editing permissions is not yet supported.
  • No Geo based redundancy since Azure AD DS is still only within a single region.
